Some cleaning + read /dev/kmsg

Author: ShellCode33

.gitignore

@@ -11,5 +11,8 @@
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
 
+# Goland
+.idea/
+
 # Dependency directories (remove the comment below to include it)
 # vendor/

README.md

@@ -17,4 +17,5 @@ Coming soon...
 ## Resources
 
 ![systemd-detect-virt source code](https://github.com/systemd/systemd/blob/master/src/basic/virt.c)
+
 ![Malware evasion techniques](https://www.deepinstinct.com/2019/10/29/malware-evasion-techniques-part-2-anti-vm-blog/)

main.go

@@ -1,23 +1,19 @@
 package main
 
 import (
-	"VMDetect/vmdetect"
+	"VM-Detection/vmdetect"
 	"fmt"
 )
 
 func main() {
-	fmt.Println("Trying to vmdetect if a VM is running...")
+	fmt.Println("Trying to detect if a VM is running...")
 
-	isInsideVM, reason, err := vmdetect.IsRunningInVirtualMachine()
-
-	if err != nil {
-		panic(err)
-	}
+	isInsideVM, reason := vmdetect.IsRunningInVirtualMachine()
 
 	if isInsideVM {
-		fmt.Printf("VM detected thanks to %v\n", reason)
+		fmt.Printf("\nVM detected thanks to %v\n", reason)
 	} else {
-		fmt.Println("No VM has been detected")
+		fmt.Println("\nNo VM detected")
 	}
 
 }

vmdetect/common.go

@@ -0,0 +1,11 @@
+package vmdetect
+
+import "fmt"
+
+func PrintError(loggee interface{}) {
+	fmt.Printf("[x] %v\n", loggee)
+}
+
+func PrintWarning(loggee interface{}) {
+	fmt.Printf("[!] %v\n", loggee)
+}

vmdetect/linux.go

@@ -1,85 +1,72 @@
-// +build linux darwin
+// +build linux
 
 package vmdetect
 
 import (
 	"bytes"
-	"fmt"
+	"os"
 	"os/exec"
-	"os/user"
 )
 
 /*
-	Checks if the program is being run using root.
- */
-func isRunningWithAdminRights() (bool, error) {
-	if currentUser, err := user.Current(); err != nil {
-		return false, err
-	} else {
-		return currentUser.Uid == "0", nil
+	Checks if the DMI table contains vendor strings of known VMs.
+*/
+func checkDMITable() bool {
+	// TODO : instead of running a command, read files in /sys/class/dmi/id/* and look for vendor strings below
+	output, err := exec.Command("dmidecode").Output()
+
+	if err != nil {
+		PrintError(err)
+		return false
 	}
+
+	return bytes.Contains(output, []byte("innotek")) ||
+		bytes.Contains(output, []byte("VirtualBox")) ||
+		bytes.Contains(output, []byte("vbox"))
 }
 
 /*
-	Tries to vmdetect VM using privileged access.
- */
-func privilegedChecks() (bool, string, error) {
+	Checks printk messages to see if Linux detected an hypervisor.
+*/
+func checkKernelRingBuffer() bool {
 
-	output, err := exec.Command("dmidecode").Output()
+	file, err := os.Open("/dev/kmsg")
 
-	if err == nil &&
-		(bytes.Contains(output, []byte("innotek")) ||
-		bytes.Contains(output, []byte("VirtualBox")) ||
-		bytes.Contains(output, []byte("vbox"))){
-		return true, "dmidecode", nil
+	if err != nil {
+		PrintError(err)
+		return false
 	}
 
-	output, err = exec.Command("dmesg").Output()
+	buffer := make([]byte, 1024*8)
 
-	if err == nil && bytes.Contains(output, []byte("Hypervisor detected")) {
-		return true, "dmesg", nil
-	}
-
-	return false, "", nil
-}
-
-/*
-	Tries to vmdetect VM using unprivileged access.
- */
-func unprivilegedChecks() (bool, string, error) {
-	output, err := exec.Command("hostnamectl").Output()
+	// Only reads the first 100 lines (reading character device in Go is annoying)
+	for i := 0; i < 100; i++ {
+		if _, err = file.Read(buffer); err != nil {
+			PrintError(err)
+			return false
+		}
 
-	if err == nil && bytes.Contains(output, []byte(" vm\n")) {
-		return true, "hostnamectl", nil
+		if bytes.Contains(buffer, []byte("Hypervisor detected")) {
+			return true
+		}
 	}
 
-	return false, "", nil
+	return false
 }
 
 /*
 	Public function returning true if a VM is detected.
 	If so, a non-empty string is also returned to tell how it was detected.
- */
-func IsRunningInVirtualMachine() (bool, string, error) {
-	isAdmin, err := isRunningWithAdminRights()
+*/
+func IsRunningInVirtualMachine() (bool, string) {
 
-	if err != nil {
-		return false, "", err
+	if checkDMITable() {
+		return true, "DMI Table"
 	}
 
-	if isAdmin {
-		vmDetected, reason, err := privilegedChecks()
-
-		if err != nil {
-			return false, "", err
-		}
-
-		if vmDetected {
-			return true, reason, nil
-		}
-	} else {
-		fmt.Println("[WARNING] Running as unprivileged user")
+	if checkKernelRingBuffer() {
+		return true, "Kernel Ring Buffer"
 	}
 
-	return unprivilegedChecks()
-}
+	return false, "nothing"
+}

vmdetect/windows.go

@@ -2,51 +2,10 @@
 
 package vmdetect
 
-/*
-	Checks if the program is being run in a privileged context.
-*/
-func isRunningWithAdminRights() (bool, error) {
-	return false, nil
-}
-
-/*
-	Tries to vmdetect VM using privileged access.
-*/
-func privilegedChecks() (bool, string, error) {
-	return false, "", nil
-}
-
-/*
-	Tries to vmdetect VM using unprivileged access.
-*/
-func unprivilegedChecks() (bool, string, error) {
-	return false, "", nil
-}
-
 /*
 	Public function returning true if a VM is detected.
 	If so, a non-empty string is also returned to tell how it was detected.
 */
-func IsRunningInVirtualMachine() (bool, string, error) {
-	isAdmin, err := isRunningWithAdminRights()
-
-	if err != nil {
-		return false, "", err
-	}
-
-	if isAdmin {
-		vmDetected, reason, err := privilegedChecks()
-
-		if err != nil {
-			return false, "", err
-		}
-
-		if vmDetected {
-			return true, reason, nil
-		}
-	} else {
-		fmt.Println("[WARNING] Running as unprivileged user")
-	}
-
-	return unprivilegedChecks()
-}
+func IsRunningInVirtualMachine() (bool, string) {
+	return false, "nothing"
+}